Splunk Search

How can I use a combination of map and sendemail to include spaces in the field values?

stembot
New Member

I have a search that uses the values in temp.csv file to generate an email for each row with specific values.

Let's say the csv looks like this
field1, field2
john doe, blah
bob smith, stuff

The search looks like this (quotes within the subsearch are escaped, just not showing here):
| inputlookup temp.csv | map search="| sendemail to=$field2$ subject=\"subject line\" from=def@456.com message=\"test test $field1$ test test \""

My problem is that when the field value (field1 in the search above) contains a space it stops populating the email after the space and sends it as is. It doesn't seem to have an issue with spaces in text specified at search time.

Tags (2)
0 Karma

mcronkrite
Splunk Employee
Splunk Employee

ramanjain1983
Path Finder

Hi guys,

I should have opened a new question but thought this is quite related. Hence adding to the thread.
I am trying to do something similar but the challenge I am seeing that everytime the message is going as literal text string and doesn't look very nicely formatted.

Query is :
index=abc | table line1 line2 EmailID subject
|eval freetext="line1=".line1.";""Line2=".Line2
| map search="
|sendemail server=test.server from=splunk@test.com to=$EmailID$ subject=$subject$" message=$freetext$

This query goes into a loop for all individual rows and send an email to respective/individual EmailIDs having freetext printed as :

Line=sampledata1;Line2=sampledata2

However I am expecting to send the data in this format:

Line=sampledata1
Line2=sampledata2

Any idea? Indeed Line 2 is a URL.

ramanjain1983
Path Finder

sorry guys... I found the solution by my own. To my strange the same solution did not work back in older splunk version and worked fine in 6.2.

It is just we need to escape the line out using shift+ enter while creating the message string

0 Karma

masonmorales
Influencer

As a workaround you could probably do:

| inputlookup temp.csv | replace " " with "_" in field1 | map search="| sendemail to=$field2$ subject="subject line" from=def@456.com message="test test $field1$ test test ""

thambisetty
SplunkTrust
SplunkTrust

this is not working for me.

2020-04-26 16:43:42,996 +0400 WARNING sendemail:1505 - search results is empty, no email will be sent

————————————
If this helps, give a like below.
0 Karma

mcronkrite
Splunk Employee
Splunk Employee

this is the right approach - thx

0 Karma

mcronkrite
Splunk Employee
Splunk Employee
0 Karma

karabsze
Path Finder

We meet the same issue too. Checked in the search log, it seems that the field with space are failed to be substitute. Anyone has idea about that?

0 Karma

stembot
New Member

Hi karabsze, I had this email from Splunk Support back on March 4th.


Just an update on the issue.
We have fixed the issue of handling variable name with quoted values inside the quotes. This will be included in the next maintance release, 6.1.8, scheduled in the 2nd half of May.
Thank you for your patience on the matter, much appreciated and feel free to ask should you have any more questions on this.
Best regards,

Sung | Splunk Support

I got around the original problem by just using the first name so never tested to see if the issue remained post-6.1.8. Hope that helps.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...